fix CSRF checking so that localhost always works

This commit is contained in:
Brian Picciano 2022-08-18 20:59:53 -06:00
parent f7b4fd644b
commit 98e0c3e89c

View File

@ -2,23 +2,38 @@ package http
import ( import (
"errors" "errors"
"net"
"net/http" "net/http"
"net/url" "net/url"
"github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil" "github.com/mediocregopher/blog.mediocregopher.com/srv/http/apiutil"
) )
func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler { func checkCSRF(r *http.Request, publicURL *url.URL) error {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if ipStr, _, err := net.SplitHostPort(r.Host); err == nil {
if ip := net.ParseIP(ipStr); ip != nil && ip.IsLoopback() {
return nil
}
}
refererURL, err := url.Parse(r.Referer()) refererURL, err := url.Parse(r.Referer())
if err != nil { if err != nil {
apiutil.BadRequest(rw, r, errors.New("invalid Referer")) return errors.New("invalid Referer")
return
} }
if refererURL.Scheme != a.params.PublicURL.Scheme || if refererURL.Scheme != publicURL.Scheme ||
refererURL.Host != a.params.PublicURL.Host { refererURL.Host != publicURL.Host {
return errors.New("invalid Referer")
}
return nil
}
func (a *api) checkCSRFMiddleware(h http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if err := checkCSRF(r, a.params.PublicURL); err != nil {
apiutil.BadRequest(rw, r, errors.New("invalid Referer")) apiutil.BadRequest(rw, r, errors.New("invalid Referer"))
return return
} }